Report: Health System Cybersecurity Budgets Increasing, But Lack of AI Governance Threatens Security

Healthcare organizations are making significant progress in strengthening their security posture, though there are several critical areas in need of improvement, according to recently released HIMSS analysis. 

The 2024 HIMSS Healthcare Cybersecurity Survey Report, the latest edition of an annual survey of healthcare cybersecurity professionals, found a need for more robust insider threat programs, improved third-party risk management and better monitoring of artificial intelligence use. 

By implementing more robust cybersecurity defenses, healthcare organizations are better equipped to protect patient data and patent safety, the 2024 report said. 

“This year’s survey shows that tools alone are not enough—stronger governance is essential, with critical areas including artificial intelligence, insider threat management, and third-party risk management. The weakest link in any security program is the people, which is why education, tools, and policies remain the most important lines of defense. We are making progress, but we must do more to stay ahead of today’s evolving threats and to be prepared for future threats.” 

Organizations are dedicating more resources to fortify cybersecurity defenses than in previous years, strategically aligning budgets with critical vulnerabilities. 

A slight majority of respondents (52%) said they anticipated their organizations’ overall IT budgets would increase from 2024 to 2025, while 10% indicated a decrease, and 28% of respondents reported no change in their overall IT budgets. Ten percent of respondents did not know about the anticipated change in IT budget from 2024 to 2025. 

As artificial intelligence becomes increasingly ubiquitous in healthcare, the report noted that a lack of formal AI governance increases risk, and healthcare cybersecurity professionals say there is limited monitoring of AI usage. 

When asked whether their organizations have approval processes in place for AI technologies, nearly half (47%) of respondents indicated that their organizations do have approval processes, while 42% reported that they do not. An additional 11% were unsure whether such processes exist within their organizations. 

Other findings include: 

• Phishing is the most common method of cyberattack for significant security incidents.  
• Gamification, tabletop exercises and interactive workshops boost workforce engagement threat education.
• AI-Driven Attacks such as deepfakes are an emerging threat. 
• Fewer ransomware victims are reporting paying ransom. 

As the threat landscape evolves, healthcare organizations must stay vigilant while ensuring cybersecurity enables business and clinical care. Continued adaptation and innovation will be essential for navigating an increasingly digital world. 

Explore the full 2024 HIMSS Cybersecurity Survey Report to learn more. 

For more than 15 years, the annual HIMSS Cybersecurity Survey Report has been a trusted source for healthcare and technology professionals and communities, providing invaluable insights into the evolving landscape of healthcare cybersecurity.